On Wed, 19 Oct 2005, Chris Edwards wrote:

> At Glasgow uni we operate our own campus certificate authority, which
> signs server certificates for many services hosted centrally, and also
> services hosted in departments.

Indeed. Although, for less-stringent purposes, we have also used self-signed certificates.

It's been a while since I actually did that, but, as I recall it, the generation of a self-signed certificate in openssl produces a certificate which is, in effect, its own CA. Some applications which use certificates (e.g. Mozilla) have the ability to remember that an individual certificate is trusted, but others (e.g. PINE) wanted a CA to be installed in the openssl framework (or else certificate verification had to be suppressed, which isn't nice) - for that purpose, we had to derive a particular format from the self-signed certificate, make it available to the client stations, and put it into the place where the trusted CAs are kept.

Back then, I see from my mail archive that I was following a tutorial at tirian.magd.ox.ac.uk, whose URL is irrelevant now as I see that it is now a permanent redirect to:

http://www.gagravarr.org/writing/openssl-certs/email.shtml

The alternative (if many server certificates are involved) seems to be a self-signed CA, which is then used to sign the individual certificates.

The tutorial is written as for PINE, but the certificates are being put into the system's openssl framework, so they aren't by any means specific to PINE - they should be good for any certificated server activity based on openssl.

I won't try to reproduce too many details here, as I'm sure to get them wrong after this lapse of time, so if anyone wants to pursue this, could I refer you to the tutorial?

But, coming back to Chris and the campus's "corporate CA":

> This scheme would be no use if for example we were selling stuff to
> arbitrary customers out on the net. But in our environment, where
> the majority of our "customers" are using our services every day, it
> works well.

Yes indeed.

[...]

> Whereas I'm not sure how a commercial CA could distinguish an
> arbitrary member of staff (or student, or member of the public)
> fraudulently claiming to be responsible for IT in the Physics
> department, and hence decline the request.

One might hope that they'd only respond to an official Order. But, as you say, *they* still wouldn't know whether the order had been placed in the name of someone authorised to run a secure server. At least the official order would represent some kind of internal audit trail, no?

all the best

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
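
An added example, not part of the original message or of the tutorial it links to: one way to generate a self-signed certificate and place it where an OpenSSL-based client looks for trusted CAs, so that verification need not be suppressed. It assumes the "particular format" is a PEM file reachable under its subject-hash name in a CA directory; the hostname, file names and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name and path below is made up and lives in a temp dir.

# Create a throwaway self-signed server certificate (key left unencrypted for the demo).
make_selfsigned() {  # $1 = working dir, $2 = hostname
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.pem" 2>/dev/null
}

# Install a PEM certificate into an OpenSSL-style CA directory. OpenSSL looks up
# trusted certificates there by subject-name hash, so the file must be reachable
# as <hash>.0 inside that directory.
install_trust() {  # $1 = PEM cert, $2 = CA directory
    h=$(openssl x509 -noout -hash -in "$1") || return 1
    cp "$1" "$2/demo-selfsigned.pem" &&
    ln -sf demo-selfsigned.pem "$2/$h.0"
}

# Verify against the given CA directory only (-no-CAfile keeps the system bundle out).
verify_cert() {  # $1 = PEM cert, $2 = CA directory
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# Show the trust decision before and after the certificate is installed.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/certs"
    make_selfsigned "$work" mail.example.test || return 1
    if verify_cert "$work/server.pem" "$work/certs"; then before=trusted; else before=untrusted; fi
    install_trust "$work/server.pem" "$work/certs" || return 1
    if verify_cert "$work/server.pem" "$work/certs"; then after=trusted; else after=untrusted; fi
    rm -rf "$work"
    echo "$before -> $after"
}

demo
```

On a real client the CA directory would be the one its OpenSSL build uses (`openssl version -d` prints the base directory), and only the certificate, never `server.key`, is distributed to client stations.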
